IAM 8.4 - Changelog

Airlock IAM 8.4.0

The following tables show the changes from Airlock IAM 8.3 to 8.4.

Config automation features

New

AI-19739

IAM now supports a new YAML configuration format (in addition to the XML configuration). To enable the YAML format, set the application parameter iam.config.format (in instance.properties).

See Using YAML.

New

AI-19596

New configuration snippet feature for YAML configurations.

A configuration snippet is a modular IAM configuration unit representing a part of a larger configuration. Snippets enable automated composition of IAM configurations by dividing them into manageable units.

See Configuration snippets.

New

AI-19984

New CLI commands to connect plugins to plugin properties, plugin list properties, and plugin map properties in YAML configuration files. See the usage message of the iam config connect command.

See also Configuration CLIs.

New

AI-19678

New CLI command to validate YAML configuration files. For details, see the usage message of the iam config validate command.

See also Configuration CLIs.

New

AI-19836

New CLI command to convert XML configuration files to the new YAML format. For details, see the usage message of the iam config convert command.

See also Configuration CLIs.

New

AI-20179
AI-20449

The Config Editor now shows the technical identifier (id) of plugins. The identifier can be edited and searched for.

See also Using YAML.

Authentication and Loginapp

New

AI-12602

Airlock 2FA activation code for manual device activation without QR code in Adminapp.

The Admin REST API endpoint /users/userId/tokens/airlock-2fa/activation-letters now also returns the 16-digit activation code and the code may be displayed in the Airlock 2FA device management in Adminapp's user management.

Access to the activation code is protected by the new Adminapp access control action View Airlock 2FA Activation Secrets.

See also Token management (Airlock 2FA) and Token enrollment.

New

AI-16759

Client failures during FIDO/Passkey registration and verification are now reported to the server. This allows for better logging and makes it possible to use the On Failure Gotos flow step feature to continue the flow.

See On-failure Goto (flow concept) and FIDO configuration overview.

New

AI-19344

During FIDO/Passkey registration in the Loginapp, the FIDO key's display name can be auto-generated based on the AAGUID of the FIDO key. It can be edited in a subsequent step.

Existing configurations are migrated to preserve the behavior.

See also Use case: FIDO passkey registration self-service and Use case: FIDO token migration self-service.

New

AI-19981

FIDO/Passkey transports (USB, NFC, BLE, device-bound, etc.) can now be stored during the registration of a FIDO key or Passkey.

If enabled, IAM uses them in the authentication challenge, reducing the list of devices offered to the end user.

See FIDO authentication (WebAuthn, U2F, CTAP).

New

AI-19351

AI-19373

The new context retention feature allows specifying a policy determining whether to hold on to a configuration context for a request or a session in the Loginapp. It also supports calls on /ui/app/ URLs.

See Configuration and usage.

New

AI-11311

Show password option on password input fields in the Loginapp UI:

The new variable iam-show-password-toggle in the Loginapp Design Kit allows the end user to see passwords entered in the Loginapp UI in plain text.

See also Changing the Loginapp UI appearance with the Design Kit.

New

AI-16917

OATH OTP enrollment QR codes can now be displayed to the user in authentication flows, self-registration flows, and protected self-service flows. This allows the user to self-enroll OATH OTP tokens.

See OATH OTP authentication.

New

AI-19524

A new event, Authentication Method Changed, is emitted when an administrator updates the authentication method of a user (add, change, or remove) or when the user completes a credential migration process (Complete Migration Step).

Improvement

AI-20454

Responses for failed CAPTCHA checks are no longer delayed.

Improvement

AI-19414

The Airlock 2FA Cooldown Information value map provider has been renamed to Airlock 2FA Authentication Data Map (no manual config changes required). It now also provides information about the Auth Token ID, which is used in transaction approval (see Selection of authentication token and authTokenId usage).

Improvement

AI-19848

The condition Has Suitable Airlock 2FA Device now has a configurable flag to respect cooldown information.

Bugfix

AI-19865

Prevents user enumeration through timing attacks on public self-service flows.

Bugfix

AI-19897

Fixed propagation of authentication timestamp in one-shot authentication.

Bugfix

AI-19285

Access to the <loginapp>/rest/public/authentication REST endpoint can now be restricted using conditions.

For new IAM installations, access is now disabled by default for unauthenticated sessions. For existing setups and configurations, the migration script sets the default to allow access for unauthenticated sessions for backward compatibility.

Security Note: If publicly available, this endpoint could be exploited for user enumeration attacks. To prevent these attacks, it is recommended that access to the endpoint is restricted to authenticated users only.

Bugfix

AI-20400

Fixed a bug in the Airlock 2FA Usernameless Authentication Step plugin: QR codes are now valid for the period configured (was always restricted to 30 seconds regardless of the configuration).

Bugfix

AI-19850

Fixed a bug in the plugin Airlock 2FA Authentication Data Map, which provides information about Airlock 2FA authentication to other steps and plugins: it returned has_active for devices in the cool-down state instead of all_cooldown.

Bugfix

AI-19527

The Set Context Data Step in the authentication flow did not emit a Context Data Event. This has been fixed and an event is now emitted.

Bugfix

AI-20266

Improved polling in Loginapp (Airlock 2FA, Cronto, and SSI).

Bugfix

AI-20574

The value of the config property Autocomplete in the configurable UI plugin Form UI Element is now correctly applied to the HTML form.

Flows

New

AI-15258

All steps can now provide custom additional attributes. See Additional and custom attributes in REST responses.

New

AI-18230

All flow steps now emit events for every step result. These generic events can be processed and filtered in any event subscriber using the Filtered Flow Event plugin.

See Events and notifications.

New

AI-18720

Configurable goto targets for failing step results. Depending on the failure type, the flow can be continued at a different position instead of aborting the flow.

See On-failure Goto (flow concept).

New

AI-20339

Email OTP is now available for transaction approval flows. See the new step Email OTP Transaction Approval Step.

See Transaction approval with email OTP.

Bugfix

AI-18353

Unexpected requests to flow REST endpoints (error code UNEXPECTED_CALL) no longer terminate the flow and now return status code 400 instead of 403.

Bugfix

AI-19649

Fixed a bug where it was not possible to have a step without CAPTCHA after a step with a custom CAPTCHA provider with enforceCaptchaForStep=true.

Bugfix

AI-19582

Fixed a bug that prevented user self-registration flows from successfully using an LDAP Password Repository plugin.

OAuth / OIDC / SAML

New

AI-20125

OAuth2 Token Exchange Delegation: IAM now supports actor tokens of type urn:ietf:params:oauth:token-type:jwt to be used in delegation use cases.

See Token Exchange service overview and Token Exchange Configuration.

New

AI-18483

In the OAuth 2.0 client credentials grant, the access token can now contain a configurable issuer and audience(s).

See Token Exchange Configuration.

New

AI-19316

In the OAuth/OIDC authorization server, a new property Cache-Control Response Header allows setting the Cache-Control response HTTP header to the specified value for the following endpoints:

  • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/jwks/
  • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/.well-known/openid-configuration/
  • /auth-login/rest/oauth2/authorization-servers/authorizationServerId/.well-known/oauth-authorization-server/

The same setting has been added to the Loginapp >> JWKS Settings. It allows setting the Cache-Control response HTTP header for the endpoint /auth-login/rest/public/jwks/.

See Dynamic client registration configuration and JWKS endpoint.

New

AI-20492

OAuth 2.0 Token Exchange now allows subject tokens without signature verification.

See Token Exchange Configuration.

Improvement

AI-19857

OAuth/OIDC performance improvement:

If a Grace Period is configured in OAuth 2.0 Authorization Code Grant or OpenID Connect Authorization / Hybrid Code Flow, refresh tokens that have been refreshed at least once now have their validity reduced to the end of the grace period. They can therefore be cleaned up much earlier than their configured lifetime would otherwise allow.

To proactively clean up such tokens, the following query (shown for Oracle) can be used. For other databases, the expression that computes the current milliseconds since epoch needs to be adapted accordingly:

DELETE FROM TOKEN WHERE
  TYPE='OAUTH2'
  AND GENERIC_DATA_ELEMENT_1='refresh_token'
  AND GENERIC_DATA_ELEMENT_11 IS NOT NULL
  AND TO_NUMBER(GENERIC_DATA_ELEMENT_11) < (CAST(SYSTIMESTAMP AT TIME ZONE 'UTC' AS DATE) - TO_DATE('1970-01-01', 'YYYY-MM-DD')) * 86400 * 1000
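The same clean-up adapted for PostgreSQL, preceded by a dry-run count, as an added example that is not part of the Airlock IAM documentation. It assumes the same TOKEN table and GENERIC_DATA_ELEMENT_* columns as the Oracle query above, with the grace period end stored in GENERIC_DATA_ELEMENT_11 as milliseconds since epoch in text form.

```sql
-- Added example, not from the Airlock IAM documentation.
-- Assumption: same TOKEN table and GENERIC_DATA_ELEMENT_* columns as in the
-- Oracle query above; GENERIC_DATA_ELEMENT_11 holds the grace period end as
-- milliseconds since epoch, stored as text.

-- 1. Dry run: count the refresh tokens the clean-up would remove.
--    EXTRACT(EPOCH FROM ...) yields seconds since 1970-01-01 UTC in PostgreSQL.
SELECT COUNT(*) AS expired_refresh_tokens
FROM TOKEN
WHERE TYPE = 'OAUTH2'
  AND GENERIC_DATA_ELEMENT_1 = 'refresh_token'
  AND GENERIC_DATA_ELEMENT_11 IS NOT NULL
  AND CAST(GENERIC_DATA_ELEMENT_11 AS BIGINT)
      < CAST(EXTRACT(EPOCH FROM CLOCK_TIMESTAMP()) * 1000 AS BIGINT);

-- 2. Actual clean-up, using exactly the same predicate as the dry run.
DELETE FROM TOKEN
WHERE TYPE = 'OAUTH2'
  AND GENERIC_DATA_ELEMENT_1 = 'refresh_token'
  AND GENERIC_DATA_ELEMENT_11 IS NOT NULL
  AND CAST(GENERIC_DATA_ELEMENT_11 AS BIGINT)
      < CAST(EXTRACT(EPOCH FROM CLOCK_TIMESTAMP()) * 1000 AS BIGINT);
```

Run the SELECT first in a transaction-safe session and compare the count with expectations before issuing the DELETE.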

Improvement

AI-19630

SAML single logout: the new flag Clear Gateway Session on Single-Logout in the SAML IDP settings determines whether the Airlock Gateway session is cleared when a SAML single-logout process starts.

See SAML Single Logout with temporary Gateway role.

Bugfix

AI-18418

The Loginapp UI now also supports OAuth 2.0/OIDC redirect URIs using a private-use scheme (containing only one slash after the colon, e.g., com.example.app:/oauth).

Bugfix

AI-20053

The discovery endpoint lookup in OAuth 2.0 Token Exchange is now also cached using the same timeout as the JWKS response.

Bugfix

AI-20296

The JWT access tokens issued by the OAuth 2.0 Client Credentials Grant now always contain a random jti claim.

Bugfix

AI-20458

The JWT Ticket Decoder, OAuth 2.0 Token Request Authentication, and all OAuth2/OpenID Connect endpoints (for example the user info endpoint) now parse the Bearer prefix in an Authorization header case-insensitively.

Adminapp and Config Editor

New

AI-20137

The Cronto activation cryptogram may now be displayed in the Adminapp user management and is available in the Admin REST API. Access to it is limited to roles with the new access control action View Cronto Activation Secret.

See Cronto Token Controller configuration.

New

AI-20294

The new application parameter iam.config-editor.standalone (in instance.properties; alternatively use the environment variable IAM_CONFIG_EDITOR_STANDALONE) allows starting the Config Editor in standalone mode. Given a valid Adminapp configuration, the Config Editor can then be accessed without authentication and used as a pure editor.

See also IAM Config Editor (UI).

New

AI-20087

The plugin ID is now displayed and editable in the Config Editor.

Note that the former plugin Identifier - the descriptive name of the plugin - is now called Display Name. The ID refers to the technical identifier: it is a UUID in the XML configuration but can be an arbitrary ID in the new YAML format (see Using YAML).

New

AI-20680

New start configuration template for Loginapp, Adminapp and Service Container with local H2 database and password authentication.

Bugfix

AI-19949

The Adminapp no longer runs into an idle timeout while working in the Config Editor. The Config Editor no longer shows a red banner notifying about a session timeout, but directly redirects to the login page.

Bugfix

AI-19829

Fixed a bug in the Config Editor which may have led to errors resolving the location of the configuration file.

Bugfix

AI-19923

Fixed entry path in gateway mapping template for new Adminapp REST endpoint mappings.

Bugfix

AI-19653

Config Editor sessions are no longer kept alive by internal requests. The Adminapp's idle timeout settings are now respected.

Bugfix

AI-20677

The plugin Regex-based String Transformer can now be used as expected in Admin REST Request authentication.

Miscellaneous

New

AI-19979

Redis connection plugins now support the Redis Sentinel mode (for high-availability).

See Storing session state in an external Redis session repository.

New

AI-19602

New OpenAPI specifications now support both request and response filtering.

See OpenAPI specification and validation.

New

AI-19600

The usage analytics feature allows Airlock to collect license and usage analytics data to improve and optimize future product development.

It is enabled and configured in Adminapp >> License and Usage Analytics.

Improvement

AI-20274

To improve operating Airlock IAM, some log messages have been modified by changing their log level from ERROR to FATAL. The message content was not changed.

See Loglevel FATAL.

Improvement

AI-19930

Failing to connect to external systems (Futurae service, SMS gateway, email server, RADIUS) from flow steps leads to an error step result that can now be handled using the On Failure Gotos flow step feature to continue the flow.

See On-failure Goto (flow concept).

Improvement

AI-20189

Unavailable external systems (SMS gateway, Futurae server, email server, and RADIUS server) no longer count as failed factor attempts.

Improvement

AI-20275

In the LDAP Connection Pool plugin, the key store and trust store can now be configured separately.

Improvement

AI-19703

The LDAP filters configured in the Active Directory Connector and the LDAP Connector now correctly trim newlines and leading or trailing whitespace. Previously this was not done in some cases, especially not in Testlets.

Improvement

AI-20287

The Airlock Gateway mapping templates for IAM now make use of the new Gateway 8.3 Server-Side Request Forgery deny rule group and enable Overload Prevention.

Note the new mapping templates for Gateway 8.3 and newer in Configuration of IAM mappings.

Improvement

AI-19334

The Airlock Gateway mapping templates for IAM now include deny rule exceptions for e-mail request parameters.

Improvement

AI-19809

The Airlock Gateway mapping templates for IAM have been improved: Request Rewrite > Host header translate is now set to INHERIT (was DISABLED).

Improvement

AI-20198

Existing lock objects in Redis are now kept alive and extended by their owning IAM process. This prevents slow requests from losing their locks.

Bugfix

AI-19990

Fixed Use STARTTLS behavior in the SMTP Email Service plugin.

Bugfix

AI-19765

AD Connector and LDAP Connector: Role names that are invalid because they contain control characters are now logged.

Bugfix

AI-19954

Fixed a bug in the XML File Importer Task: a NullPointerException is no longer thrown when processing empty commands.

Bugfix

AI-19665

Fixed error handling of the User Sync Task plugin: the Continue On Errors flag is now respected for all types of errors, i.e., if checked, the task does not fail on any type of error.

Bugfix

AI-20582

Updated Airlock IAM—Microgateway Helm Chart: We have added support for Microgateway 4.5. The chart released with IAM 8.4 is now compatible with Airlock Microgateway versions from 4.3 to 4.5.

Use the parameter .Values.global.microgatewayVersion to enable compatibility for the respective version of Airlock Microgateway.

Fixed a bug where the predefined Deny Rule Exceptions were too permissive for HTTP Methods.

Bugfix

AI-20697

Fixed a bug in the Swissphone SMS Gateway testlet.